摘要
针对现有程序静态异常特征检测中存在的对未知变种识别率低的问题,提出一种基于静态行为轨迹的特征提取与检测方法。特征建模阶段采用变长n-gram算法对样本的函数调用序列进行特征建模,并从中提取异常特征;检测阶段通过对函数调用序列的分片所生成的轨迹段与特征库中的序列段进行匹配,并将可信度加入判决值的计算中,与判决阈值作比较,以克服静态基于字节序列的特征码检测误报率较高的缺陷。实验表明,基于静态行为轨迹的异常特征检测技术具有较高的准确率和较低的误报率。
In order to solve existing problems of difficult to identify variants in static program anomaly detection, this paper proposed a method based on feature extracting and anomaly detecting of static behavior trajectory feature and built feature mo- del with sequence of API through variable-length n-gram algorithm, and extracted anomalies. In the detection phase, in order to overcome the high false alarm rate of static signature detection based on sequence of bytes, research matched the trajectory segment generated by fragments of API sequence to sequence segments in feature library, and compared decision threshold with decision value by adding credibility in calculation as well. Experimental results prove the anomalies detection based on static behavior trajectory to be possessed with high accuracy and low false alarm rate.
出处
《计算机应用研究》
CSCD
北大核心
2017年第8期2434-2438,共5页
Application Research of Computers
基金
国家自然科学基金资助项目(61472447)
关键词
静态行为轨迹
变长n-gram
轨迹段
判决阈值
static behavior trajectory
variable-length n-gram
trajectory segments
threshold
